Your CEO just returned from a two-week business trip. Company data is normally backed up to the network via VPN, but not this time. The only copy resides on your CEO’s hard drive and it can’t be accessed. You’ve been contacted because that data is mission critical to the enterprise and your CEO wants it back—NOW!
You assess the situation and that’s when you hear it….the “click of death.” The hard drive has suffered physical damage. The read/write heads are clicking loudly, threatening to destroy the data on the platters. Your CEO has emphasized the critical nature of that data, which can no longer be accessed through normal means. What do you do?
1. Shut the computer down immediately! If the device is making noises of any kind, don’t power it up again or try to run recovery software. The clicking sound you hear may be the sound of digital media being erased from the platters…forever. Off-the-shelf data recovery software might be a good solution for a functioning hard drive, but it can do more harm than good to a physically damaged drive.
2. Call a professional data recovery service provider. This is your only hope for recovering data from a physically damaged drive. But before you call a local vendor who offers a “fast and cheap” solution, hold the phone! Ask yourself, “Are they qualified to handle confidential data?” (Remember, your CEO said the information was “critical to the enterprise.”)
During the data recovery process, data may be exposed to identity theft, permanent media damage, the downloading and improper use of confidential files, a breach of data on unprotected networks, and the installation of malware onto hard drives returned with recovered data. Your “cheap” recovery solution could result in a very expensive security problem.
In a study conducted by the Ponemon Institute on the “Security of Data Recovery Operations,” based on a survey of 636 IT support professionals, 83 percent reported that their companies had suffered at least one data breach in the past two years; of the 83 percent, 19 percent said the breach occurred when a drive was in the possession of a third-party data recovery service provider, and 43 percent said the breach was due to a lack of data security protocols. To help other IT professionals avoid the risk of data breach when third-party data recovery services are required, the Ponemon Institute generated a list of criteria that could be used to vet data recovery companies to determine their recovery capabilities and data security standards. Those criteria are summarized below.
Data Loss Dos and Don’ts
How to Avoid Catastrophic Data Loss
- Have a recurring and redundant backup strategy in place.
- Keep a copy of stored data off site.
- Test and verify your backups regularly.
- Before disaster strikes, create a relationship with a trusted data recovery service provider who can support your needs. Vet that vendor annually.
Tips for Desktop or Portable Devices
- Back up users’ critical files often – to the network, external drives, and/or DVDs.
- Shut the computer down immediately if the drive is making any unusual sounds.
- Update data security software regularly.
- Scan all incoming data for viruses.
- Avoid static discharge when handling digital media.
- Upgrade the operating system without a verified backup.
- Power up a device with physical damage or a device that is making unusual sounds.
- Use recovery software on physically damaged drives.
Tips for Multiple Disk Drives
- Use a volume defragmenter regularly.
- Label each drive’s original position before removing from RAID array.
- Run defragmenter utilities on suspected bad drives.
- Restore data to a server that has lost data.
- Replace a failed RAID drive with a drive from another working RAID system.
- Attempt original information store or database file repairs in Microsoft Exchange or SQL failures; always perform recoveries on a copy.
- Run volume repair utilities on suspected bad drives or in a power loss situation.
Tips for Encrypted Data
- Keep encryption username, password, and/or key in a secure and quick-to-find location.
- Remember to back up your data; encrypted devices can fail or become corrupted.
- Run conventional recovery tools on encrypted devices.
- Decrypt a drive or set of sectors more than once.
- Lose your key – if you lose your security key, your data may be gone forever.
3. Before turning over sensitive data, ask your recovery service provider for proof of the following standards:
Proof of an annual audit report (i.e., SAS 70 II). Independent parties conduct annual audit reports of the provider’s internal IT controls and data security safeguards. These written reports verify that controls and safeguards are not only in place, but working properly. They consider the integrity of the vendor’s data recovery facilities, data hosting solutions, and the security of their IT assets. The vendor’s controls and safeguards should support the same data security acts and guidelines that your company must uphold by law (i.e., SOX, HIPAA, GLBA, FERPA, DAR, etc.).
Confirmation that they operate an ISO-5 (Class 100) cleanroom. Physically damaged drives must be spun up while open, exposing sensitive drive platters and delicate solid-state components to dust particles and contaminants. An ISO-5 (Class 100) cleanroom is a contamination-free environment that ensures that critical processes will not be affected by everyday pollution in the air stream. A Class 100 clean bench is no substitute for a Class 100 cleanroom.
Encryption training certifications. There are dozens of different encryption solutions out there; each one advocates a different data recovery technique for successful results. Before handing over your drive and the “keys to your kingdom,” make sure your recovery provider knows how to safely and properly handle encryption keys, and can offer custom solutions for recovering and returning encrypted data. Verify that the provider’s data recovery engineers have been trained by all of the leading encryption software manufacturers.
Background checks on their employees. The Ponemon study revealed a case where a data recovery service provider actually employed engineers that had been convicted of identity theft. The engineers rescued and returned data for an international credit card company, and later used recovered passwords and account information to help themselves to bank accounts!
Proof that data on your old, unwanted drive has been permanently destroyed. If you want the vendor to recycle your damaged drive, ask for written verification that they destroyed the drive and its data. Using a DoD-approved degausser is the best way to guarantee secure and permanent data destruction.
Vetting Your Vendors: Who Is Handling Your Data?
There are various points during the data recovery process where your data is at risk:
- Negligent or unethical data recovery technicians:
- Risk of downloading and improper use of confidential data
- Risk of identity theft and fraudulent financial transactions
- Risk of permanent data loss
- Unprotected networks housing restored data files are at risk of data breach
- Risk of lost or compromised data during transit
- Risk of data exposure resulting from the improper disposal of unwanted storage devices
- Risk of recovered data returned with malware
4. Expedite the recovery process—know the device and its symptoms. Before the recovery process can begin, your service provider will need details about the computer system or storage device that has failed. Be prepared to answer the following questions to expedite the recovery process:
What operating system was running (i.e., Windows, Mac OS, LINUX/UNIX, etc.)?
What type of device is it (i.e., removable flash (SSD) drive, hard disk drive, multidisk server, etc.)?
Who manufactured the device?
What is the drive interface (i.e., SATA, IDE, SCSI, Firewire)?
What is the problem with the device (i.e., clicking, grinding, won’t spin up, etc.)?
What attempts have been made to resolve the problem or recover the data?
What files and folders are the most important?
What directories, software applications, and versions were used to create those files?
Is the drive encrypted? Partitioned?
Are there any user names or passwords required to access the device?
5. Avoid future data loss. All storage devices eventually fail. Even cloud storage solutions are not foolproof. (Just ask the service providers that recover lost data for them!)
Your organization’s data is one of its most important assets. How you protect it and what you do when disaster strikes are issues of critical importance.
The best protection from data loss is a solid backup strategy. But when disaster strikes—as it often does—avoid a catastrophic data loss by following the tips provided in the side bar, and have the phone number of a trusted data recovery service provider on your speed dial.
Before sending damaged storage devices out to a vendor for data recovery, follow this advice from the National Institute of Standards and Technology (NIST SP 800.34, Section 5.1.3): “Organizations should consider the security risk of having their data handled by an outside company and ensure that proper security vetting of the service provider is conducted before turning over equipment.”
Michael Hall is the CISO for DriveSavers Data Recovery, Inc., where he directs and implements policies and procedures concerning the privacy and security of all data received at DriveSavers, including highly critical data from government agencies, major corporations, and research laboratories. He has over thirteen years of experience in data recovery technology, focusing on high-end arrays, and has successfully recovered data from over 15,000 storage devices. Michael can be reached at